Block Porn with Proxy Auto Configuration Files


How to block undesirable web sites by filtering key words. For free.

    You don't need to spend money to stop your kids from accidentally browsing to a porn site. You don't even need to install a new program. The magic is done with a file called a "Proxy Auto Configuration" (PAC) file.

    A PAC file contains some JavaScript code that lets your browser know what route it has to take to connect to different sites on the Internet. For most home users, the browser normally connects directly to a web site. However, it's also possible to have the browser connect to a "proxy" computer that gets the web content and passes it back to your browser. If you connect through a proxy, the proxy can act as an intelligent "man in the middle", blocking pornography and viruses. Sounds great, huh? What's the catch? Well, the companies that control proxy servers usually charge you money to use those proxy servers. That takes all the fun out of it...

    Now that you understand a bit about proxies and PAC files, maybe you see a way out! What if the PAC file told your browser it could connect directly to a site like, but told your browser it had to use a non-existent proxy to connect to Then every time you tried to browse to, your browser wouldn't find the proxy, so couldn't make the connection!

    The PAC file has to contain (built in to the JavaScript) all the "bad" words you want to filter and block. The filtering is done to the URL, not to the web page body. So a page like this (which has the word "porn" in it) would get through because the URL doesn't have any bad words in it. Okay? Nothing is perfect. But the good part is that because the words are checked against the entire URL, that means you can't bypass this filter by searching through Google and viewing Google's cached results.

    The list of bad words isn't just words: The words are buried pretty deep in JavaScript code. But it is plain-text, so you can add and subtract words with nothing more than the Windows "notepad" program. Here are a few (tame) lines from the PAC file:

BadURL_Parts[i++] = "busty";
BadURL_Parts[i++] = "celeb";
BadURL_Parts[i++] = "centerfold";

    I bet you'll have no problem figuring out how to modify those words to suit your own needs. You just open up Notepad (under "Start", "Programs", "Accessories"), then drag the PAC file (named "proxy") into Notepad. Save it when you're done. Your computer may freeze for a few seconds after you save the file, and you may have to restart your browser to make your changes active, but that's all there is to it.
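
The mechanism described above, as an added example rather than the PAC file this page distributes: each URL is lower-cased and searched for every keyword, a hit is routed to a proxy address where nothing listens, and everything else goes DIRECT. The black-hole address `127.0.0.1:9`, the `GoodHosts` exception list and the helper names are assumptions; only the `BadURL_Parts` lines come from the page.

```javascript
// Added example, not the PAC file this page distributes.
// Assumption: nothing listens on this address, so proxied requests fail.
var BLACKHOLE = "PROXY 127.0.0.1:9";

// Keyword list in the same form as the excerpt above.
var BadURL_Parts = [];
var i = 0;
BadURL_Parts[i++] = "busty";
BadURL_Parts[i++] = "celeb";
BadURL_Parts[i++] = "centerfold";

// Hypothetical exception list: hosts allowed even if a keyword matches.
var GoodHosts = ["partysupplies.example"];

// True when host equals domain or is a subdomain of it.
function hostIsIn(host, domain) {
  return host === domain ||
         host.slice(-(domain.length + 1)) === "." + domain;
}

// Returns the first keyword found anywhere in the URL, or null.
function matchedPart(url) {
  var lower = url.toLowerCase();
  for (var n = 0; n < BadURL_Parts.length; n++) {
    if (lower.indexOf(BadURL_Parts[n]) !== -1) return BadURL_Parts[n];
  }
  return null;
}

// Entry point the browser calls for every request.
function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  for (var n = 0; n < GoodHosts.length; n++) {
    if (hostIsIn(host, GoodHosts[n])) return "DIRECT";
  }
  return matchedPart(url) !== null ? BLACKHOLE : "DIRECT";
}
```

Substring matching also blocks innocent URLs ("celeb" hits "celebration"), which is what the exception list is for. Current Chrome and Firefox hand the script only the scheme and host of https:// URLs, so keywords in the path or query are seen only on plain http:// requests.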



Automatic Download, Installation, and Configuration Script
    The script will offer to automatically download the most recent pac file from and the most recent hosts file from It will put the downloaded files in the right place and make sure they have the right names. It will offer to create editing shortcuts for the files. It will also offer to configure Internet Explorer to use the new PAC file. What's more, the script will offer to place a batch file in the "All Users" startup folder to automatically configure the browsers of everybody else who logs in on the computer. The script will only set up "LAN" settings (DSL, broadband, cable, or satellite) and will not affect dialup connections. It will only set up the Internet Explorer browser and won't affect FireFox or any other browser. If you need support for dialup or other browsers, you can use the script to get most of the work done, but you'll need to follow the "dialup" and "other browsers" part of the installation instructions below (green text) to finish the job.

PAC / Proxy file
I used to have a proxy file I offered, but this one is better, so I got rid of mine. and my site both link to each other, but we have very different ideas about how to install the PAC file. You can either do it my way (the automatic script above or the instructions below) or do it their way. Both will work. I like to hide the proxy file to keep it away from kids. likes to put it in a central location to make it easier to edit and maintain. You decide what fits your situation best.


1.   Where to put the PAC file
Most people who discuss PAC files are kind of vague about where to put them or what to name them. I'm going to be specific. The PAC file should be named "proxy" with no file extension and it should be in the same folder as your "hosts" file. Why? This puts it in a folder normally reserved for system files (which is good, because this is a system file), the lack of a file extension makes it look like all the other files there (so it won't attract attention), and the lack of a file extension makes it difficult for kids to open. The folder we are discussing is located here:
XP C:\Windows\system32\drivers\etc\
2000 C:\WINNT\system32\drivers\etc\
98/ME C:\Windows\

2.   Configure your browser to use the PAC file

In the Internet Explorer menu, select "Tools", then "Internet Options", then go to the "Connections" tab. Click the "Settings..." or "LAN Settings..." button depending on whether you have broadband or a dialup connection. If you aren't sure, you can do both.

Check the "Use automatic configuration script" box and enter the location of your PAC file. You must use the "file://" protocol when specifying your file location. It's a little awkward to type in because all the slashes go the "wrong way", but when you get done, you should have something like this:
XP file://C:/Windows/system32/drivers/etc/proxy
2000 file://C:/WINNT/system32/drivers/etc/proxy
98/ME file://C:/Windows/proxy

If you have cable broadband or DSL, you may want to do this for both the "LAN Settings" and "Settings" so you can't bypass everything by going through a dialup connection!

If you only have dialup, you still may want to do this for the "LAN Settings" so it will all be ready when you upgrade next year.

If you have a browser other than IE, the settings will be different, but not so much that you can't figure it out. For example, on FireFox, you go to the menu and select "Tools", then "Options", then select the "General" category, click the "Connection Settings" button, select "Automatic proxy configuration URL", and enter the path to your PAC file. Pretty simple.

3.   Define your local intranet security zone
Microsoft wrongly assumes that if there is a proxy (even one that doesn't exist), anything that doesn't use the proxy must be in your local intranet. Wrong! That would be a very bad thing from a security point of view! Typical Microsoft. We need to fix that. In the Internet Explorer menu, select "Tools", then "Internet Options", then open the "Security" tab. Select the "Local intranet" icon, then hit the "Sites" button. Remove the check from the "Include all sites that bypass the proxy server" box.

4. Disable Proxy Caching
When IE sees that a proxy is needed for a web site, it uses the same proxy again later for the same web site. Normally, that's a good thing; a time-saver. For our purposes, it's ruinous! If I do a Google search for "sex", I want the PAC file to block it by directing the browser to a bad proxy. If IE remembers that proxy, that means it will continue blocking Google, even if I later search for "flowers". We need to force IE to look in the PAC file every time to decide whether a proxy is needed or not! If you want to do it manually by making a registry change, you can read If you do, you'll end up with a result like this:

Notice that the registry section shown is for the current user. That means you'll have to change this setting for all your users. Generally this means you'll have to actually log in as every user and effect this setting. Of course, you could write a script to do it and put it in the "All Users Startup" or in the HKLM run section, but we're talking about manually installing things here. 

If you don't want to manually edit the registry, John R. Lo Verso (who is the grand master of PAC files and quite a few other things) has created a registry file:
You can run it directly from the web or download it and double-click it. This registry file will not only turn off proxy caching, but it will add an "Automatic Proxy Configuration" entry in your advanced Internet properties window (which you can see to the right). Of course, this is still a per-user setting, so you'll have to make sure every user that has a separate login gets the same treatment.

As you can see by the label for "no-ads" (to the right), John writes his PAC files to block Internet advertising. I write mine to block Internet porn. It's not really difficult to combine both jobs into a single PAC file, but I've got a few problems with it:
  1. If I combined them for you, I might be seen as passing off John's excellent work as my own.
  2. I use a "hosts" file to do most of my advertising blocking. The PAC file approach is more versatile, but the "hosts" file is a lot easier to maintain, modify, and merge new data. My laziness keeps me using a hosts file.
  3. A "hosts" file covers the entire machine. All applications. All users. A PAC file has to be set up for each connection method, each application, and each user. So... Ummm... If you want to provide exceptions for certain applications or browsers (like if your wife does Women's health research or you use a different browser than the kids use), you use a PAC file. When you run across a site that is universally annoying or just flat out evil and dangerous, you put it in the hosts file. The hosts file and pac file have different jobs and I like using both of them. You should too.

5. Empty your browser's cache
This is really optional. If you've been to a porn site, the page and pictures are in your cache. If you go there again, even if the PAC file blocks it, your browser could show you the old data. If you haven't been to a porn site, you don't need to worry about emptying your cache!
  • In IE, go to the menu and select "Tools", then "Internet Options". On the "General" tab in the "Temporary Internet files" section, click the "Delete files..." button.
  • In FireFox, go to the menu and select "Tools", "Options", and click the "Privacy" icon. Hit the "Clear" button on the "Cache" tab.
  • In some other browser, figure it out yourself!

6. Set up a dummy proxy server
The only reason you may need to do this is if you use this pac file solution on something other than IE, FireFox, or Mozilla. If you do, and if that other application seems to hang, you may need to get a real proxy server. Another reason to set up a dummy server is if you don't like to see error messages in your web pages! The simplest proxy server is "Homer". Naturally, I've made a Homer auto-installation script that will download and install Homer correctly for you.
The great thing about Homer is that it returns a blank image to replace the ad or porn image that might have originally displayed. This stops the error from being displayed and gives you "nothing" in return. It also has a log to show you what URLs are being blocked.

    Resources: PAC files and Hosts files

John Lo Verso's "Bust Banner Ads with Proxy Auto Configuration" web page:

Sheryl Canter's "Kill Internet Ads with HOSTS and PAC Files" article:

Homer LocalHost web server (prevents visible error messages when you block sites)

Larry Wang's Black Hole Proxy for use with PAC or HOSTS files:

Pyrenean's eDexter local image server for use with PAC or HOSTS files:

"WebWasher Classic" Internet filter program is free for personal use:

Open Source "Privoxy" is a true proxy that can handle multiple computers:

Pyrenean's DNSKong personal DNS server can return dummy IP addresses for known web sites:

Internet Filter's list of over 400,000 known porn web sites:

Script to save the Internet Filter porn list as a text file with one site per line:

